Abstract: Several authors devised type-based termination criteria for ML-like
languages (polymorphic λ-calculi with inductive types and case analysis) that
allow non-structural recursive calls. We extend these works to general rewriting
and dependent types, hence providing a powerful termination criterion for the
combination of rewriting and β-reduction in the Calculus of Constructions.

1 Introduction 

The Calculus of Constructions ^H] is a powerful type system allowing polymor- 
phic and dependent types. It is the basis of many proof assistants since it allows 
one to formalize the proofs of higher-order logic. In this context, it is essential 
to allow users to define functions and predicates in the most convenient way and 
to be able to decide whether a term is a proof of some proposition, and whether 
two terms/propositions are equivalent w.r.t. user definitions. As exemplified in 
OE], a promising approach is rewriting. To this end, we need powerful crite- 
ria to check the termination of higher-order rewrite-based definitions combined 
with β-reduction.

In a previous work ^U; we proved that such a combination is strongly nor- 
malizing if, on the one hand, first-order rewrite rules are strongly normalizing 
and non-duplicating¹ and, on the other hand, non first-order rewrite rules (called
higher-order in the following) satisfy a termination criterion based on the
notion of computability closure and similar to higher-order primitive recursion.
Unfortunately, many interesting rewrite systems are either first-order and
duplicating, or higher-order with non-structural recursive calls (e.g. division on
natural numbers²,³, Figure 1).

Laboratoire Lorrain de Recherche en Informatique et Automatique (LORIA) & Institut
National de Recherche en Informatique et Automatique (INRIA), 615 rue du Jardin Botanique,

1 Strong normalization is not modular in general [38]. It is modular for non-duplicating
first-order rewrite systems [35]. Here, we do not have two non-duplicating first-order rewrite
systems but a hierarchical combination of a higher-order rewrite system (satisfying strong
termination conditions) built over a non-duplicating first-order rewrite system.

2 1 x y denotes ["^prl- 

3 We use curried symbols all over the paper. 



Figure 1: Division on natural numbers

Hughes et al |2§ a , Xi 02112, Gimenez et al |23 H] and Abel j2j devised
termination criteria able to treat such examples by exploiting the way inductive
types are usually interpreted [31]. Take for instance the addition⁴ on Brouwer's
ordinals ord (Figure 2) whose constructors are $0 : ord$, $s : ord \Rightarrow ord$ and
$lim : (nat \Rightarrow ord) \Rightarrow ord$.



Figure 2: Addition on Brouwer's ordinals 

(1) $+\ 0\ x \to x$

(2) $+\ (s\ x)\ y \to s\ (+\ x\ y)$

(3) $+\ (lim\ f)\ y \to lim\ ([x : nat](+\ (f\ x)\ y))$



The usual computability-based technique for proving the termination of this
function is to interpret ord by the fixpoint of the following monotone function
$\varphi$ on the powerset of $\mathcal{SN}$, the set of strongly normalizing terms, ordered by
inclusion:⁵

$$\varphi(X) = \{t \in \mathcal{SN} \mid t \to^* s\,u \Rightarrow u \in X;\ t \to^* lim\,f \Rightarrow \forall u \in \mathcal{SN},\ f\,u \in X\}$$

The fixpoint of $\varphi$, [ord], can be reached by transfinite iteration and every
$t \in$ [ord] is obtained after a smallest ordinal o(t) of iterations, the order of t.
This naturally defines an ordering: t > u iff o(t) > o(u), with which we clearly
have lim f > f u for all $u \in \mathcal{SN}$.

Now, applying this technique to nat, we can easily check that $o(-\,t\,u) \le o(t)$
and thus allow the recursive call with $-\,x\,y$ in the definition of /. First note that
$-\,t\,u$ is computable (i.e. belongs to [nat]) iff all its reducts are computable (see
Section ). We proceed by induction on o(t):

- If $-\,t\,u$ matches rule (1) then $o(-\,t\,u) = o(t)$.

- If $-\,t\,u$ matches rule (2) then $o(-\,t\,u) = 0 \le o(t)$.

- If $-\,t\,u$ matches rule (3) then $t = s\,t'$ and $u = s\,u'$. By induction hypothesis,
$o(-\,t'\,u') \le o(t')$. Thus, $o(-\,t\,u) = 1 + o(-\,t'\,u') \le 1 + o(t') = o(t)$.

- If $-\,t\,u$ matches no rule then $o(-\,t\,u) = 0 \le o(t)$.
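
The induction above can be replayed on closed terms. The following Python code is an added example, not code from the paper: the rewrite rules for − and / are assumed (the body of Figure 1 is not reproduced on this page), closed Peano terms are encoded as tuples, and the order of a closed term is taken to be the number of s constructors in its normal form.

```python
# Assumed rewrite rules (hypothetical reconstruction, not taken from the page):
#   (1) - x 0         -> x
#   (2) - 0 x         -> 0
#   (3) - (s x) (s y) -> - x y
#   (4) / 0 y         -> 0
#   (5) / (s x) y     -> s (/ (- x y) y)

ZERO = ("0",)


def s(t):
    return ("s", t)


def minus(t, u):
    return ("-", t, u)


def div(t, u):
    return ("/", t, u)


def num(n):
    """Closed numeral s^n 0."""
    t = ZERO
    for _ in range(n):
        t = s(t)
    return t


def normalize(t):
    """Innermost normalization of a closed term with the assumed rules."""
    head = t[0]
    if head == "0":
        return t
    if head == "s":
        return s(normalize(t[1]))
    a, b = normalize(t[1]), normalize(t[2])
    if head == "-":
        if b == ZERO:
            return a                              # rule (1)
        if a == ZERO:
            return ZERO                           # rule (2)
        return normalize(minus(a[1], b[1]))       # rule (3)
    if a == ZERO:
        return ZERO                               # rule (4)
    # Rule (5): the recursive call is on (- x y), not on a subterm of (s x).
    return s(normalize(div(minus(a[1], b), b)))


def order(t):
    """Order of a closed term of type nat: number of s in its normal form."""
    n, k = normalize(t), 0
    while n[0] == "s":
        n, k = n[1], k + 1
    return k


def size_bound_violations(limit):
    """Pairs (n, m) below limit with o(- t u) > o(t); empty if the bound holds."""
    return [(n, m) for n in range(limit) for m in range(limit)
            if order(minus(num(n), num(m))) > order(num(n))]


def decrease_counterexamples(rec_arg, limit):
    """Pairs (x, y) for which the argument rec_arg(x, y) of the recursive call
    in a rule / (s x) y -> s (/ rec_arg(x, y) y) is not strictly smaller,
    in order, than the left-hand side argument s x."""
    return [(x, y) for x in range(limit) for y in range(limit)
            if order(rec_arg(num(x), num(y))) >= order(s(num(x)))]
```

With the assumed rule (5) the recursive argument always has a strictly smaller order, while a variant that recurses on `- (s x) y` fails the check exactly when y is 0, which is where that variant would loop.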

4 [x : T]u denotes the function which associates u to every x of type T. 
5 $\to^*$ is the reflexive and transitive closure of the reduction relation $\to$.

The idea of the previously cited authors is to add this size/index/stage
information to the syntax in order to prove this automatically. Instead of a single
type nat, they consider a family of types $\{nat^a\}_{a \in \omega}$, each type $nat^a$ being
interpreted by the set obtained after a iterations of the function $\varphi$ for nat. And
they define a decidable type system in which minus (defined by fixpoint/cases
constructions in their work) can be typed by $nat^\alpha \Rightarrow nat^\beta \Rightarrow nat^\alpha$, where $\alpha$
and $\beta$ are size variables, meaning that the order of $-\,t\,u$ is not greater than the
order of t.

This can also be interpreted as a way to automatically prove theorems on 
the size of the result of a function w.r.t. the size of its arguments [HIE EH with 
application to complexity and resource bound certification, and compilation 
optimization (e.g. bound check elimination |3.4j, vector-based memoisation [16]).

In this paper, we extend this technique to the full Calculus of Algebraic Con- 
structions |ll whose type conversion rule depends on the user-defined rewrite 
rules, and to general rewrite-based definitions (including matching on defined 
symbols and rewriting modulo equational theories PJ) instead of definitions 
only based on letrec/match (or fixpoint/cases) constructions. Note that our
work makes heavy use of (and simplifies) the techniques developed by Chen for
studying the Calculus of Constructions with subtyping [15].

On the one hand, we allow a richer size algebra than the one in (2H1 [SI I2| (see 
Section EJ. On the other hand, we do not allow existential size variables and 
conditional rewriting⁶ that are essential for capturing, for instance, the
size-preserving property of quicksort (Example 01 and McCarthy's "91" function
(Example El respectively, as it can be done in Xi's work. Note however
that Xi is interested in the call-by-value normalization of closed simply-typed
λ-terms, while we are interested in the strong normalization of the open terms
of the Calculus of Constructions.

2 The Calculus of Algebraic Constructions with 
Size Annotations 

The Calculus of Constructions (CC) is the full Pure Type System with the set
of sorts $\mathcal{S} = \{\star, \Box\}$ and the axiom $\star : \Box$ [3]. $\star$ is intended to be the universe
of types and propositions, while $\Box$ is intended to be the universe of predicate
types. Let $\mathcal{X}$ be the set of variables.

The Calculus of Algebraic Constructions (CAC) is an extension of CC
with a set $\mathcal{F}$ of function or predicate symbols defined by a set $\mathcal{R}$ of (higher-order)
rewrite rules [20] [30]. Every variable x (resp. symbol f) is equipped with a sort
$s_x$ (resp. $s_f$). We denote by $\mathcal{DF}$ the set of defined symbols, that is, the set of
symbols f such that there is a rule $l \to r \in \mathcal{R}$ with $l = f\,\vec{l}$, and by $\mathcal{CF}$ the set
$\mathcal{F} \setminus \mathcal{DF}$ of constant symbols. We add a superscript s to restrict these sets to
variables or symbols of sort s.

6 The equivalent of if-then-else constructions in functional programming.

Now, we assume given a (sorted) first-order term algebra $\mathcal{A} = T(\mathcal{H}, \mathcal{Z})$,
called the algebra of size expressions, built from a non-empty set $\mathcal{H}$ of size
symbols of fixed arity and a set $\mathcal{Z}$ of size variables. We assume that
$\mathcal{H} \cap \mathcal{F} = \mathcal{Z} \cap \mathcal{X} = \emptyset$. Let $\mathcal{V}(t)$ be the set of size variables occurring in a term t. A
renaming is an injection from a finite subset of $\mathcal{Z}$ to $\mathcal{Z}$.

We assume that, for every rule $l \to r \in \mathcal{R}$, $\mathcal{V}(l) = \mathcal{V}(r) = \emptyset$. Hence, if $t \to t'$
then, for all size substitution $\varphi$, $t\varphi \to t'\varphi$.

We also assume that $\mathcal{A}$ is equipped with a quasi-ordering $\le_{\mathcal{A}}$ stable by size
substitution (i.e. if $a \le_{\mathcal{A}} b$ then, for all size substitution $\varphi$, $a\varphi \le_{\mathcal{A}} b\varphi$) such
that $(\mathcal{A}, \le_{\mathcal{A}})$ has a well-founded model $(\mathfrak{A}, \le_{\mathfrak{A}})$:

Definition 1 (Size model) A pre-model of $\mathcal{A}$ is given by a set $\mathfrak{A}$, an ordering
$\le_{\mathfrak{A}}$ on $\mathfrak{A}$ and a function $h_{\mathfrak{A}}$ from $\mathfrak{A}^n$ to $\mathfrak{A}$ for every n-ary size symbol $h \in \mathcal{H}$.
A size valuation is a function $\nu$ from $\mathcal{Z}$ to $\mathfrak{A}$, naturally extended to a function
on $\mathcal{A}$. A pre-model is a model if, for all size valuation $\nu$, $a\nu \le_{\mathfrak{A}} b\nu$ whenever
$a \le_{\mathcal{A}} b$. Such a model is well-founded if $>_{\mathfrak{A}}$ is well-founded.

The Calculus of Algebraic Constructions with Size Annotations (CACSA) is
an extension of CAC where constant predicate symbols are annotated by size
expressions. The terms of CACSA are defined by the following grammar rule:

$$t ::= s \mid x \mid C^a \mid f \mid [x : t]t \mid (x : t)t \mid t\,t$$

where $C \in \mathcal{CF}^\Box$, $f \in \mathcal{F} \setminus \mathcal{CF}^\Box$ and $a \in \mathcal{A}$. We denote by $\mathcal{T}_{\mathcal{A}}(\mathcal{F}, \mathcal{X})$ the set
of terms built from $\mathcal{F}$, $\mathcal{X}$ and $\mathcal{A}$. Let $\mathcal{T}$ be the set of the underlying CAC
terms and _ be the function erasing size annotations. Among CAC terms, we
distinguish the following disjoint sets:

- kinds: $K \in \mathcal{K} ::= \star \mid (x : t)K$

- predicates: $P \in \mathcal{P} ::= f \in \mathcal{F}^\Box \mid x \in \mathcal{X}^\Box \mid (x : t)P \mid [x : t]P \mid P\,t$

- objects: $o \in \mathcal{O} ::= f \in \mathcal{F}^\star \mid x \in \mathcal{X}^\star \mid [x : t]o \mid o\,t$

where $t \in \mathcal{T}$ is any CAC term.

Finally, we assume that every symbol f is equipped with a type
$\tau_f = (\vec{x} : \vec{T})U \in \mathcal{T}$ such that $FV(\tau_f) = \emptyset$, $s_f = \Box \Rightarrow \mathcal{V}(\tau_f) = \emptyset$, and
$f\,\vec{l} \to r \in \mathcal{R} \Rightarrow |\vec{l}| \le |\vec{x}|$.

We also assume that every symbol f is equipped with a set
$Mon^+(f) \subseteq A_f = \{1, \ldots, |\vec{x}|\}$ of monotone arguments and a set $Mon^-(f) \subseteq A_f$ of
anti-monotone arguments such that $Mon^+(f) \cap Mon^-(f) = \emptyset$. For a size symbol h,
$Mon^+(h)$ (resp. $Mon^-(h)$) is taken to be the arguments in which $h_{\mathfrak{A}}$ is monotone
(resp. anti-monotone).

An environment $\Gamma$ is a sequence of pairs variable-term. Let $t \downarrow u$ iff there is
v such that $t \to^* v \mathrel{{}^*\!\leftarrow} u$. The typing rules of CACSA are given in Figure 4 and
its subtyping rules in Figure 3. W.l.o.g. we can assume that, for all f, $\vdash \tau_f : s_f$.
We also assume that, for every rule $l \to r \in \mathcal{R}$, there exist an environment $\Gamma$
and a type T such that $\Gamma \vdash r : T$. This is to make sure that r is not ill-formed (see
Lemma 12 in [11]).






Since, in the (symb) rule, symbol types are applied to arbitrary size
substitutions $\varphi$, the name of size variables in symbol types is not relevant (size
variables in symbol types are implicitly universally quantified).

A substitution $\theta$ preserves typing between $\Gamma$ and $\Delta$, written $\theta : \Gamma \leadsto \Delta$,
iff $\Delta \vdash x\theta : x\Gamma\theta$ for all $x \in dom(\Gamma)$. A type-preserving substitution satisfies
the following important substitution property: if $\Gamma \vdash t : T$ and $\theta : \Gamma \leadsto \Delta$ then
$\Delta \vdash t\theta : T\theta$.

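Figure 3: Subtyping rules

(refl) $T \le T$

(size) $C^a\,\vec{t} \le C^b\,\vec{t}$ $\quad (C \in \mathcal{CF}^\Box,\ a \le_{\mathcal{A}} b)$

(prod) $\dfrac{U' \le U \quad V \le V'}{(x : U)V \le (x : U')V'}$

(conv) $\dfrac{T' \le U'}{T \le U}$ $\quad (T \downarrow T',\ U' \downarrow U)$

(trans) $\dfrac{T \le U \quad U \le V}{T \le V}$

In this paper, we make two important assumptions.

Assumptions:

(1) $\beta \cup \mathcal{R}$ is confluent. This is the case for instance if $\mathcal{R}$ is confluent and
left-linear. Finding other sufficient conditions when there are type-level rewrite
rules is an open problem.

(2) $\mathcal{R}$ preserves typing: if $l \to r \in \mathcal{R}$ and $\Gamma \vdash l\sigma : T$ then $\Gamma \vdash r\sigma : T$. Finding
sufficient conditions with subtyping and dependent types does not seem
easy as shown by the following example. We leave the study of this problem
for future work.

Example 1 (Subject reduction) Assume that $s \in \mathcal{H}$, $nat : \star$,
$s : nat^\alpha \Rightarrow nat^{s\alpha}$, $- : nat^\alpha \Rightarrow nat^\beta \Rightarrow nat^\alpha$, and let us prove that the rule
$-\,(s\,x)\,(s\,y) \to -\,x\,y$ preserves typing. Assume that $\Gamma \vdash -\,(s\,t)\,(s\,u) : T$. We must prove that
$\Gamma \vdash -\,t\,u : T$. By inversion, $\Gamma \vdash -\,(s\,t) : (z_2 : T_2)U_2$, $\Gamma \vdash s\,u : T_2$ and $U_2\{z_2 \mapsto s\,u\} \le T$.
By inversion again, $\Gamma \vdash - : (z_1 : T_1)U_1$, $\Gamma \vdash s\,t : T_1$ and $U_1\{z_1 \mapsto s\,t\} \le (z_2 : T_2)U_2$.
Again, $nat^a \Rightarrow nat^b \Rightarrow nat^a \le (z_1 : T_1)U_1$, $\Gamma \vdash s : (z_3 : T_3)U_3$, $\Gamma \vdash t : T_3$,
$U_3\{z_3 \mapsto t\} \le T_1$, $nat^c \Rightarrow nat^{sc} \le (z_3 : T_3)U_3$, $\Gamma \vdash s : (z_4 : T_4)U_4$, $\Gamma \vdash u : T_4$,
$U_4\{z_4 \mapsto u\} \le T_2$ and $nat^d \Rightarrow nat^{sd} \le (z_4 : T_4)U_4$. By Lemma 4, we have $T_3 \le nat^c$,
$nat^{sc} \le U_3$, $T_4 \le nat^d$, $nat^{sd} \le U_4$, $T_1 \le nat^a$ and $nat^b \Rightarrow nat^a \le U_1$. Again, since
$U_1\{z_1 \mapsto s\,t\} \le (z_2 : T_2)U_2$, $T_2 \le nat^b$ and $nat^a \le U_2$. Therefore, since
$\Gamma \vdash t : T_3 \le nat^c$, $\Gamma \vdash u : T_4 \le nat^d$ and $\Gamma \vdash - : nat^c \Rightarrow nat^d \Rightarrow nat^c$, we have
$\Gamma \vdash -\,t\,u : nat^c$. Now, we must prove that $nat^c \le T$. First, $nat^c \le nat^{sc} \le U_3$.
Since $U_3\{z_3 \mapsto t\} \le T_1$, $nat^c \le T_1$. Since $nat^a \Rightarrow nat^b \Rightarrow nat^a \le (z_1 : T_1)U_1$,
$T_1 \le nat^a$ and $nat^b \Rightarrow nat^a \le U_1$. Since $U_1\{z_1 \mapsto s\,t\} \le (z_2 : T_2)U_2$,
$nat^b \Rightarrow nat^a \le (z_2 : T_2)U_2$. Therefore, $nat^a \le U_2$. Now, since $U_2\{z_2 \mapsto s\,u\} \le T$, we
indeed have $nat^c \le T$.

Figure 4: Typing rules

(ax) $\vdash \star : \Box$

(size) [rule body illegible in the source] $\quad (C \in \mathcal{CF}^\Box)$

(symb) $\dfrac{\vdash \tau_f : s_f}{\vdash f : \tau_f\varphi}$ $\quad (f \notin \mathcal{CF}^\Box)$

(var) $\dfrac{\Gamma \vdash T : s_x}{\Gamma, x : T \vdash x : T}$ $\quad (x \notin dom(\Gamma))$

(weak) $\dfrac{\Gamma \vdash t : T \quad \Gamma \vdash U : s_x}{\Gamma, x : U \vdash t : T}$ $\quad (x \notin dom(\Gamma))$

(prod) $\dfrac{\Gamma \vdash U : s \quad \Gamma, x : U \vdash V : s'}{\Gamma \vdash (x : U)V : s'}$

(abs) $\dfrac{\Gamma, x : U \vdash v : V \quad \Gamma \vdash (x : U)V : s}{\Gamma \vdash [x : U]v : (x : U)V}$

(app) $\dfrac{\Gamma \vdash t : (x : U)V \quad \Gamma \vdash u : U}{\Gamma \vdash t\,u : V\{x \mapsto u\}}$

(sub) $\dfrac{\Gamma \vdash t : T \quad \Gamma \vdash T' : s}{\Gamma \vdash t : T'}$ $\quad (T \le T')$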



3 Properties of subtyping 

Lemma 2 If $U \le V$ then, for all size substitution $\varphi$, $U\varphi \le V\varphi$.

Proof. Easy induction. ■

We now prove that the subtyping rule (trans) can be eliminated.

Theorem 3 (Transitivity elimination) Let $\le_t$ be the subtyping relation
obtained without using (trans). Then, $\le_t = \le$.

Proof. Section El



This means that, in a subtyping derivation, we can always assume that there
is no application of (trans) and that, in a typing derivation, there are no successive
applications of (sub).

Lemma 4 (Product compatibility) If $(x : U)V \le (x : U')V'$ then $U' \le U$
and $V \le V'$.

Proof. By case on the last rule of $(x : U)V \le (x : U')V'$. By confluence, we
can assume that there are no successive applications of (conv). This is immediate
for (refl) and (prod). (symb) is not possible. For (conv), we have:

$$\dfrac{(x : U)V \downarrow T \quad T \le T' \quad T' \downarrow (x : U')V'}{(x : U)V \le (x : U')V'}$$

Then, we reason by case on the last rule of $T \le T'$.

(refl) In this case, $T = T'$. Therefore, by confluence, $(x : U)V \downarrow (x : U')V'$,
$U \downarrow U'$ and $V \downarrow V'$. Thus, $U' \le U$ and $V \le V'$.

(symb) Not possible since $T = C^a\,\vec{t}$ has no common reduct with $(x : U)V$
(since C is constant).

(conv) Excluded.

(prod) In this case, $T = (x : U_1)V_1$, $T' = (x : U_2)V_2$, $U_2 \le U_1$ and $V_1 \le V_2$.
By confluence $U \downarrow U_1$, $V \downarrow V_1$, $U_2 \downarrow U'$ and $V_2 \downarrow V'$. Therefore, by conversion,
$U' \le U$ and $V \le V'$. ■

We now prove that the subtyping relation can be further simplified. Consider
the following two admissible rules:

(red) $\dfrac{T \to^* T' \quad T' \le U' \quad U' \mathrel{{}^*\!\leftarrow} U}{T \le U}$

(exp) $\dfrac{T \mathrel{{}^*\!\leftarrow} T' \quad T' \le U' \quad U' \to^* U}{T \le U}$

(conv) can clearly be replaced by both (red) and (exp).

Theorem 5 (Expansion elimination) Let $\le_r$ be the subtyping relation with
(red) instead of (conv). Then, $\le_r = \le$.

Proof. Section Hm ■

Now, let $\le_s$ be the subtyping relation with (refl), (symb) and (prod) only.

Lemma 6 $T \le U$ iff there exist $T'$ and $U'$ such that $T \to^* T' \le_s U' \mathrel{{}^*\!\leftarrow} U$.
Furthermore, if $T, U \in \mathcal{WN}$ then $T\!\downarrow\ \le_s U\!\downarrow$.

Proof. The if-part is immediate. The only-if-part is easily proved by
induction on $T \le U$. In the (red) case, if $T \to^* T' \le U' \mathrel{{}^*\!\leftarrow} U$ then, by induction
hypothesis, there exist $T''$ and $U''$ such that $T' \to^* T'' \le_s U'' \mathrel{{}^*\!\leftarrow} U'$. Therefore,
$T \to^* T'' \le_s U'' \mathrel{{}^*\!\leftarrow} U$.

Now, if $T, U \in \mathcal{WN}$ then $T\!\downarrow\ \le U\!\downarrow$. Thus, $T\!\downarrow\ \le_s U\!\downarrow$ since $T\!\downarrow$ and $U\!\downarrow$ are not
reducible. ■

Lemma 7 - For all $s \in \mathcal{S}$, if $T \le s$ or $s \le T$ then $T \to^* s$.

- For all $K \in \mathcal{K}$, if $T \le K$ or $K \le T$ then $T \to^* T' \in \mathcal{K}$.

Proof.

- If $s \le T$ then $s \le_s T' \mathrel{{}^*\!\leftarrow} T$. The only possible case is $T' = s$. If $T \le s$ then
$T \to^* T' \le_s s$. The only possible case is $T' = s$.

- If $T \le K$ then $T \to^* T' \le_s K' \mathrel{{}^*\!\leftarrow} K$ and $K' \in \mathcal{K}$. Now, one can easily prove
by induction that, if $T' \le_s K'$, then $T' \in \mathcal{K}$. If $K \le T$ then $K \to^* K' \le_s T' \mathrel{{}^*\!\leftarrow} T$
and $K' \in \mathcal{K}$. One can easily prove by induction that, if $K' \le_s T'$,
then $T' \in \mathcal{K}$. ■

Theorem 8 (Decidability of subtyping) $\le$ is decidable whenever $\to$ is
confluent, weakly normalizing and finitely branching (or confluent and strongly
normalizing).

Proof. Immediate consequence of Lemma 6.

4 Properties of typing 

Lemma 9 If $\Gamma \vdash t : T$ then, for all size substitution $\varphi$, $\Gamma\varphi \vdash t\varphi : T\varphi$.

Proof. Easy induction. ■

Lemma 10 (Type correctness) If $\Gamma \vdash t : T$ then either $T = \Box$ or $\Gamma \vdash T : s$ for
some sort s.

Proof. Easy induction. ■

Lemma 11 - If $T \to^* \Box$ then T is not typable.

- If $\Gamma \vdash t : \Box$ then $t \in \mathcal{K}$.

- If $K \in \mathcal{K}$ and $\Gamma \vdash K : L$ then $L = \Box$.

- If $T \to^* K \in \mathcal{K}$ and $\Gamma \vdash T : s$ then $T \in \mathcal{K}$ and $s = \Box$.

Proof. These properties are proved for CAC in [11] (Lemma 11). Their
proofs need only a few corrections based on Lemma to be valid for CACSA
too. ■

Lemma 12 (Narrowing) If $\Gamma, y : A, \Gamma' \vdash t : T$, $B \le A$, $\Gamma \vdash B : s_y$ then
$\Gamma, y : B, \Gamma' \vdash t : T$.

Proof. By induction on $\Gamma, y : A, \Gamma' \vdash t : T$. We only detail some cases.

(var) There are two cases. Assume that we have $\Gamma \vdash A : s_y$ and $\Gamma, y : A \vdash y : A$.
Since $\Gamma \vdash B : s_y$, by (var), $\Gamma, y : B \vdash y : B$. Since $B \le A$ and $\Gamma \vdash A : s_y$, by (sub),
$\Gamma, y : B \vdash y : A$.

Assume now that we have $\Gamma, y : A, \Gamma' \vdash T : s_x$ and $\Gamma, y : A, \Gamma', x : T \vdash x : T$. By
induction hypothesis, $\Gamma, y : B, \Gamma' \vdash T : s_x$. Thus, by (var),
$\Gamma, y : B, \Gamma', x : T \vdash x : T$.

(weak) There are two cases. Assume that we have $\Gamma \vdash t : T$, $\Gamma \vdash A : s_y$ and
$\Gamma, y : A \vdash t : T$. Since $\Gamma \vdash B : s_y$, by (weak), $\Gamma, y : B \vdash t : T$.

Assume now that we have $\Gamma, y : A, \Gamma' \vdash t : T$, $\Gamma, y : A, \Gamma' \vdash U : s_x$ and
$\Gamma, y : A, \Gamma', x : U \vdash t : T$. By induction hypothesis, $\Gamma, y : B, \Gamma' \vdash t : T$ and
$\Gamma, y : B, \Gamma' \vdash U : s_x$. Thus, by (weak), $\Gamma, y : B, \Gamma', x : U \vdash t : T$. ■

Theorem 13 (β-Subject reduction) If $\Gamma \vdash t : T$ and $t \to_\beta t'$ then $\Gamma \vdash t' : T$.

Proof. By induction on $\Gamma \vdash t : T$, we also prove that, if $\Gamma \to_\beta \Gamma'$, then
$\Gamma' \vdash t : T$. We only detail the case of a β-head reduction. Assume that we have
$\Gamma \vdash [x : U']v : (x : U)V$ and $\Gamma \vdash u : U$. We must prove that $\Gamma \vdash v\{x \mapsto u\} : V\{x \mapsto u\}$.
By inversion, $\Gamma, x : U' \vdash v : V'$, $\Gamma \vdash (x : U')V' : s'$, $(x : U')V' \le (x : U)V$ and
$\Gamma \vdash (x : U)V : s$. By product compatibility, $U \le U'$ and $V' \le V$. By inversion,
$\Gamma \vdash U : s_1$ and $\Gamma \vdash V : s_2$. By narrowing and subtyping, $\Gamma, x : U \vdash v : V$. Therefore,
by substitution, $\Gamma \vdash v\{x \mapsto u\} : V\{x \mapsto u\}$. ■

Lemma 14 If $\Gamma \vdash t : T$, $T \le T'$ and $\Gamma \vdash T' : s'$ then $\Gamma \vdash T : s$ for some s.

Proof. By type correctness, either $T = \Box$ or $\Gamma \vdash T : s$ for some s. If $T = \Box$
then, by Lemma 7, $T' \to^* \Box$ and, by Lemma 11, $T'$ cannot be typable. ■

Lemma 15 (Unicity of sorting) If $T \le T'$, $\Gamma \vdash T : s$ and $\Gamma \vdash T' : s'$ then $s = s'$.

Proof. If $s = \Box$ then $T \in \mathcal{K}$. By Lemma 7, $T' \to^* K \in \mathcal{K}$. By Lemma 11,
$T' \in \mathcal{K}$ and $s' = \Box$. By symmetry, if $s' = \Box$ then $s = \Box$. So, $s = \Box$ iff $s' = \Box$.
Since $s, s' \in \mathcal{S} = \{\star, \Box\}$, $s = \star$ iff $s' = \star$. Therefore, $s = s'$. ■

5 Strong normalization 

Let $\mathcal{SN}$ (resp. $\mathcal{WN}$) be the set of strongly (resp. weakly) normalizable terms,
and $t\!\downarrow$ be the normal form of a term $t \in \mathcal{WN}$ ($\to$ is assumed confluent).

Definition 16 (Reducibility candidates) We assume given a set $\mathcal{CT}$ of
constructor terms.⁷ A term t is neutral if it is not an abstraction, not a constructor
term, nor of the form $f\,\vec{t}$ with $f \in \mathcal{DF}$ and $|\vec{t}| < |\vec{l}|$ for some rule $f\,\vec{l} \to r$.
We inductively define the set $\mathcal{R}_t$ of the interpretations for the terms of type t,
the ordering $\le_t$ on $\mathcal{R}_t$, the element $\top_t \in \mathcal{R}_t$, and the functions $\bigwedge_t$ and $\bigvee_t$ from
the powerset of $\mathcal{R}_t$ to $\mathcal{R}_t$ as follows. If $t \notin \mathcal{K} \cup \{\Box\}$ then:

- $\mathcal{R}_t = \{\emptyset\}$, $\le_t = \subseteq$ and $\bigwedge_t(\Re) = \bigvee_t(\Re) = \top_t = \emptyset$.

Otherwise:

- $\mathcal{R}_s$ is the set of all the subsets R of $\mathcal{T}$ such that:
(R1) $R \subseteq \mathcal{SN}$ (strong normalization).
(R2) If $t \in R$ then $\to(t) \subseteq R$ (stability by reduction).
(R3) If t is neutral and $\to(t) \subseteq R$ then $t \in R$ (neutral terms).
Furthermore, $\le_s = \subseteq$, $\top_s = \mathcal{SN}$, $\bigvee_s(\Re) = \bigcup \Re$, $\bigwedge_s(\Re) = \bigcap \Re$ if $\Re \ne \emptyset$, and
$\bigwedge_s(\emptyset) = \top_s$.

7 $\mathcal{CT}$ is defined in Definition 26.

^ TZ(x:U)K is the set of functions i? from T x to 7^ such that R(u, S) — 
R(u', S) whenever u ^ u' or u = y!_, T( x:U -) K (u, S) — T K , /\( x u)kOR)( u > = 
/\ K ({R(u,S) | R G 5ft}), V(*^)*r(R)(«,S) - Vx(W«.S)'| « G 5R}) and 
<(,:iOif # iff #K S) <k #(u, 5). 
Let (C S) <t (?, 5') iff f = ?, St < SI and, for all j ± i, Sj = S'j. A function R G 
7J,j.jfu is monotone (resp. anti-monotone) in its ith argument if i?(Q) < R{Q') 
whenever Q <j Q' (resp. Q >» Q')- Let 7?.™ be the set of functions R G TZ Tf 
such that i? is monotone in all its arguments i G Mon + (/), and anti- monotone 
in all its arguments i G Mon~(/). 

Lemma 17 (TZt, <t) and (TZf 1 , <t) are complete lattices with T t as their great- 
est element and At(^) as the greatest lower bound of 5ft. Moreover: 

- If 5ft is totally ordered then Vt(^) is the lowest upper bound of 5ft. 

- For all R G TZ S , X C R. 

- If rf : T and (9 : T ~> A then "K T e = 7£ T - 

- If Tt :T then 7e Tp = ftr- 

- The smallest element J_ s = f\ s (TZ s ) only contains neutral terms. 

Proof. The proof is similar to the one for CAC [U]. ■ 

Lemma 18 If FT < V : s then TZ T = TZ T > ■ 

Proof. If s = * then TZt — {0} = TZt- Assume now that s = □. We 
proceed by induction on T < T'. 

(refl) Immediate, 
(symb) Not possible. 

(prod) 'R.( X :u)v is the set of functions from TxTZjj to TZy that are invariant by 
reduction and size substitution. TZ( X :U')V' ls the set of functions from TxTZu' 
to TZy that are invariant by reduction and size substitution. By induction 
hypothesis, TZu — TZu> and TZy = TZy- Therefore, TZ( x: u)v = T^(x:U')v- 

(conv) By induction hypothesis, TZt> = TZu> . Since TZt = TZt> and TZu = T^u', 
we have TZt = TZu ■ B 
Definition 19 (Interpretation schema) A candidate assignment is a
function $\xi$ from $\mathcal{X}$ to $\bigcup \{\mathcal{R}_t \mid t \in \mathcal{T}\}$. A candidate assignment $\xi$ validates an
environment $\Gamma$ or is a $\Gamma$-assignment, $\xi \models \Gamma$, if, for all $x \in dom(\Gamma)$, $x\xi \in \mathcal{R}_{x\Gamma}$.

An interpretation for a symbol C € CF is a monotone function 7 from 21 
to 7?.™. An interpretation for a symbol / ^ CF n is an element of 7£™. An 
interpretation for a set £/ of predicate symbols is a function which, to every 
symbol g G Q, associates an interpretation for g. 

The interpretation of £ w.r.t. a candidate assignment £, an interpretation I 
for JF, a substitution # and a valuation v, [tj^'g, is denned by induction on t: 

- [t]£j =T t ifiG0U<S 

- [FJ^ = J F if F e 

- [Ci['e = Jg* if C G CF n 

- Hf,e = 

- [(a : COVlg = {^T|VuG [E7]$,VS G Ru,tu G M^,,} 

- p:rj] u ]^( u ,5) = Hjr e „ 

where 0£ = 9 U {x i-> w} and £f = £ U {x i-> S"}. 

Let J be an interpretation for T . A symbol / is computable if, for all v, 
f ^ I 7 "/! 7 '"- A substitution 6* is adapted to a T-assignment £ and a valuation 
^ £ 7 6> ^„ T, if dom(6>) C dom(r) and, for all x G dom((9), xO G {xT} 1 ^. 
The interpretation is invariant by reduction if, for all v, £, and i, t' G WW, 
[*]& = Wllf whenever * - f . 

Lemma 20 - If R : T and £ h T then G ft T . 

- If -> 0' or = 0' then [t]|£ = [t]£*. 

Proof. The proof is similar to the one for CAC [H]. ■ 

Lemma 21 (Candidate substitution) If Tt : T, 7 : T ^> A and £ |= A then 
[*7lS = with ^ = and 1= r - 

Proof. The proof is similar to the one for CAC [H]. ■ 

Lemma 22 (Size substitution ) im : Tthen [ttp]$ = \tf$ v where a{ipv) = 
{pnp)v. 

Proof. By induction on t. 

- If t is an object, a sort or a symbol / G T* then tip is of the same kind and 
- [(x : U<p)V<p\$ = {teT\Vue [U<p]$,VS e K Uvi tu e By 
induction hypothesis, [t/pl^'e = {Uf^ v and [^]^ e „ = [V]^„. And 
since TZ Ulp = TZ V , [(x : U^Vip] 1 ^ = {(x : U)Vf£. 

- If T[x : U]v : T then, by inversion, T[x : U]v : (x : U)V for some V, and 
T<p[x : Uip]vip : (x : Uip)Vip. Since TZu v = TZjj and TZy v = Tlv, {[% '■ 
Uf]v(p}^g has the same domain and codomain as {[x : Furthermore, 
[[a; : U(p\v(pj^g(u, S) = [vLpf^^ = l v \[s fi u by induction hypothesis. 

- {tfuvllfi = l^llle (u^pO, = lt\\y v {ue, lu\\'§ v ) by induction hypoth- 
esis and invariance by size change. ■ 

We now define the sets of positive and negative positions in a term, which 
will enforce monotony and anti-monotony properties respectively. 

Definition 23 (Positive and negative positions) The set of positions in a 
term t is inductively defined as follows: 8 

- Pos(s) = Pos(a;) = Pos(/) = {e} 

- Pos((x : u)v) — Pos([x : u]v) = Pos(uw) = l.Pos(u) U 2.Pos(w) 

- Pos(C a ) = {e}U0.Pos(a) 

Let Pos(a;, t) be the set of positions of the free occurrences of x in t, and 
Pos(/, t) be the set of positions of the occurrences of / in t. The set of posi- 
tive positions in t, Pos + (i), and the set of negative positions in t, Pos~(i), are 
simultaneously defined by induction on t: 

- Pos 4 (s) = Pos 4 (a;) = {e\S= +} 

- Pos s {{x : U)V) = l.Pos _5 (I7) U2.Pos <5 (F) 

- Pos 4 ([a: : U]v) = 2.Pos <5 (w) 

- ¥os s {tu) = l.Pos 5 (t) if t ^ ft 

- Pos s (fP) = {ll*1 \5 = +}U U{l |t ~ 1_i 2.Pos e4 (i i ) | £ £ {-,+}, i e Mon £ (/)} 

- Pos 4 (C a t) = Pos s (Ci) U {l^O | <5 = +}.Pos 4 (a). 

where 6 G { — ,+ }, — h = — and = + (usual rule of signs). 

Lemma 24 (Monotony) Let < + =<; <~=>; £ < x £' iff x^ < x£' and, for all 
y ? x, yZ = y?; I < f I' iff I f < I' f and, for all g ^ /, I g = I' g ; v < a v> iff 
av <a a,v' and, for all (3 ^ a, j3v — (3v' . Assume that Tt : T and £, £' \= T. 

- If £ <x f and Pos(x,t) C Pos tf (t) then [t]££ < s \tf/ fi . 
If I < f V and Pos(/,t) C Pos 5 (i) then < 5 [i]^". 

If v < a v' and Pos(a,i) C Pos 4 (i) then {tj 1 ^ < s \t\\^ . 

- If PT < T' : s, T,T' £ WAf and the interpretation is invariant by reduction 
then IT}$ < IT% : ». 

8 It is defined so that Pos(t) C Pos(t). 
Proof. 

- The first two properties are proved for CAC in pi] and their proofs are still 
valid. 

- We now prove the third property. It uses the same techniques. So, we only 
detail the case * = C a t. Let R = {tf£ g and R' = {tf^ . R = I% v (t9,S) 

with S = [tl^g, and R 1 = I% u '(t9,S') with S = [tj^'. Let n = \t\ and 
i G {1, . . . , n}. If Pos(a, t{) = then Si = Otherwise, since Pos(a, t) C 
Pos 5 (t), there is £; such that i G Mon £l (/) and Pos(a,f i ) C Pos 5 " 5 ^). 
Thus, by induction hypothesis, Si < e * s S' t . Let Q) = {t9,S'j) if j < ft, 
and Q£ = (te,Sj) if j > ft. We have Q° = (t9,S), Q n = (bO,S') and, for 
all ft G {l,...,n}, Q^ 1 < £ k kS Q k . Thus, I^(Q k ^) < e * s I^(Q k ), that is, 
Ic U (Q k l ) ^ S Ic'(Q k ) since e\ = + and symbol interpretations are mono- 
tone in their monotone arguments and anti-monotone in their anti-monotone 
arguments. So, R = I^(Q°) < s I^{Q n ). Now, if Pos(a,C Q ) = then 
au = av' and R < s R' = I^{Q n ). Otherwise, 5 = + and au < a au' 
since Pos(a,et) C Pos + (a). Thus, R < R' since symbol interpretations are 
monotone functions on 21. 

- We now prove the last property by induction on T < T', Let R = [Tj^'g and 

R' = P"]$> 

(refi) Immediate. 

(symb) Let Q = (t9, We have R = I£ U {Q) < R' = Ic(Q) since 

av <a bu and symbol interpretations are monotone on 21. 
(prod) Let t G R, u G [f/'J^'g and S € Ku> . We must prove that to G 

[V"]g 9J ,. By induction hypothesis, {U'f^ < [17]$. So, ti G [f/]^. 

Since 7£j/' = T^f/ and t G i?, to G P^s"^- Now, by induction hypothesis, 

[Vlg fls < [H^V Therefore, to G [V']g er 
(conv) By induction hypothesis, [T'f^ < \U'f^ g . Since T, U G HW and 

the interpretation is invariant by reduction, [T'J^'g = R and [J/']^ = R 1 ■ 
Therefore, R < R' . " " ■ 

Theorem 25 (Strong normalization) If there is an interpretation I invari- 
ant by reduction and such that every symbol is computable then every well-typed 
term is strongly normalizable. 

Proof. One first prove by induction that, if Tt : T then, for all £, v and 
9 such that £ |= V and £, T, then i# G Pl^g. Then, one prove that, if 
x9 = x and x^ = T x r, then £ |= T and £, T. See f° r details. ■ 

6 Constructor-based systems 

We now study the case of CACSA's whose size algebra contains the following
expressions (at least):

$$a ::= \alpha \mid s\,a \mid \infty \mid \ldots$$

In case that there is no other symbol, the ordering $\le_{\mathcal{A}}$ on size expressions
is defined as the smallest quasi-ordering $\le$ such that, for all a, $a \le s\,a$ and
$a \le \infty$. We interpret size expressions in the set $\mathfrak{A} = \Omega + 1$, where $\Omega$ is the first
uncountable ordinal, by taking:

- $s_{\mathfrak{A}}(\mathfrak{a}) = \mathfrak{a} + 1$ if $\mathfrak{a} < \Omega$, and $\Omega$ otherwise.

- $\infty_{\mathfrak{A}} = \Omega$.

One can easily imagine other size expressions like $a + b$, $max(a, b)$, ...
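
For this minimal algebra the ordering can be decided by stripping successors, and with it the (refl), (size) and (prod) rules of Figure 3 give a structural subtyping check. The Python code below is an added example, not code from the paper; it assumes a tuple encoding, non-dependent products, predicate symbols without arguments and types already in normal form, so that (conv) is not needed.

```python
# Size expressions (assumed encoding): ("var", name) | ("s", a) | ("inf",)
INF = ("inf",)


def var(name):
    return ("var", name)


def succ(a):
    return ("s", a)


def size_le(a, b):
    """Decide a <= b in the smallest quasi-ordering with a <= s a and a <= oo.

    From a, the generating steps reach exactly s^k a and s^k oo, so it is
    enough to strip successors from b until a or oo shows up.
    """
    while True:
        if b == a or b == INF:
            return True
        if b[0] != "s":
            return False
        b = b[1]


def size_subst(a, phi):
    """Apply a size substitution phi (dict from variable names to sizes)."""
    if a[0] == "var":
        return phi.get(a[1], a)
    if a[0] == "s":
        return succ(size_subst(a[1], phi))
    return a


# Types (assumed encoding): ("C", name, size) for an annotated constant
# predicate symbol, ("arrow", U, V) for a non-dependent product (x : U)V.
def const(name, size):
    return ("C", name, size)


def arrow(u, v):
    return ("arrow", u, v)


def nat(size):
    return const("nat", size)


def type_subst(t, phi):
    if t[0] == "C":
        return const(t[1], size_subst(t[2], phi))
    return arrow(type_subst(t[1], phi), type_subst(t[2], phi))


def subtype(t, u):
    """Structural subtyping on normal forms: (refl), (size), (prod) only."""
    if t == u:                                   # (refl)
        return True
    if t[0] == "C" and u[0] == "C":              # (size): compare annotations
        return t[1] == u[1] and size_le(t[2], u[2])
    if t[0] == "arrow" and u[0] == "arrow":      # (prod): contravariant domain
        return subtype(u[1], t[1]) and subtype(t[2], u[2])
    return False


def stable_under(phi, t, u):
    """Instance of Lemma 2: if t <= u then t.phi <= u.phi."""
    return (not subtype(t, u)) or subtype(type_subst(t, phi), type_subst(u, phi))
```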

Definition 26 (Constructor-based system) We assume given a precedence 
<r on T , that is, a quasi-ordering whose strict part >y? is well-founded, and 
that every C G CT a with C : (z : V)* is equipped with a set Cons(C) of 
constructors, that is, a set of constant symbols f : (y : U)C a v equipped with a 
set Acc(/) C {1, . . . , \y\} of accessible arguments such that: 

• If there are D —jr C and j G Acc(c) such that Pos(L>, Uj) ^ then V(t/) = 
{a} and a — sa. 

• For all j G Acc(c): 

- For all D >? C, Pos(L>, Uj) = 0. 

- For all D ~jr C and p G Pos(L>, Uj), p G Pos+([/ i ) and Uj\ p = D a . 

- For all p G Pos(a, Uj), p = qO, Uj\ q = Z) Q and L» C. 

- For all x G FV D (J7j), there is l x with = a; and Pos(a;, Uj) C Pos + (J7j). 

• For all F G VT a and Ff^ r G K: 

- For all G >j? F, Pos(G,r) = 0. 

- For all i G Mon <5 (F), ^ G A" D and Pos(Z i7 r) C Pos 5 (r). 

- For all x G FV D (r), there is k x with /fe^ = x. 

A C -constructor term is a term of the form fu with / G Cons, / : (y : U)C a v, 
\u\ = \y\ and Acc(/) ^ 0. Let CT(C) be the set of C-constructor terms. 

The conditions involving l x and k x mean that we restrict our attention to 
small inductive types. Strong elimination, that is, predicate-level recursion on 
big inductive types may lead to non-termination JSj- Yet, weak elimination, 
that is, object-level recursion on big inductive types is admissible. As shown 
in [H], it is possible to raise this restriction at the price of not being allowed to 
match defined symbols. 

Among constant predicate symbols, we distinguish the class of primitive
types that includes all first-order data types like natural numbers, lists of natural
numbers, . . . Primitive types are not polymorphic but they can have primitive
dependencies like the type of arrays of natural numbers.

Definition 27 (Primitive types) A symbol C G CT D is primitive if tq — 
(z : V)*, {£} C X* and, for all D C, for all constructor / : (y : U)D sa v 
and for all j G Acc(/), either Uj = E°°t with E <jr C and E primitive, or 
Uj = E a t with E C. The size of a term t in a primitive type C is defined 
as follows. If t is a constructor term fu with / : (y : U)C sa v and, for all j £ 
Acc(/) such that Pos(a, Uj) ^ 0, Uj = Cfv\ then \t\ c = 1 + max{ IwjIeT, I 3 & 
Acc(/),Pos(a, C/j) ^ 0}. Otherwise, |t| c = 0. 

We define the interpretation of predicate symbols by induction on >jr. 

Definition 28 (Interpretation of defined predicate symbols) Assume 
that F : (x : f)U. We take I F (t, S) = [r]| )CT if t£ WAT, t[= Ta, Fl-> r £ K 
and x£ = S Kx . Otherwise, we take Zf(*j S) — Tjj. 

Thanks to Lemma [21 one can easily check that I is monotone in its mono- 
tone arguments. The well-foundedness of the definition is a consequence of the 
correctness of the termination criterion. 

We now define the interpretation of a constant predicate symbols by trans- 
finite induction on a £ 21. 

Definition 29 (Interpretation of constant predicate symbols) 

- Ic{S) g is the set of u € S/V such that u never reduces to a C-constructor 
term. 

- Iq +1 (S) is the set of terms u G SJ\f such that, if u reduces to a constructor 
term fu with / : (y : U)C sa v then, for all j £ Acc(/), Uj £ pjf£ 9 with 
y£, = S Ly , y9 = u and av — a. 

- I b c = Ar c ({ 7 c I a < b}) if b is a limit ordinal. 

Let K a c (S) = I£(S)nCT(C) and, for t £ I%{S), let o C{g) (t) be the smallest 
ordinal a such that t £ Iq(S). 

The interpretation is well defined thanks to the assumptions made on Uj 
when j is accessible. 

Lemma 30 If fu £ K2(S) then o c ,gs(fu) is a successor ordinal. 

Proof. Assume that a = o G ,gJfu) is a limit ordinal. Then, Iq(S) = 
| b < a} and ta £ Ic(S) for some b < a, which is not possible. Now, 
o ^ since K^(S) — 0. Therefore, a is a successor ordinal. ■ 

Lemma 31 I is monotone. 

Proof. We prove that a < b => I a < I b by induction on a. 
• a = 0. 

- b = 0. Immediate. 

9 We do not write t since the interpretation does not depend on it. 

- b = b' + 1. By induction hypothesis, 1° < I b . We now prove that I b < 
I +1 . Let t E Iq (S). Then, £ G SJV. Assume now that £ reduces to a 
constructor term fu with / : (y : U)C sa v. By LemmaEOl t G I C +1 (S) for 
some c < b', Let j G Acc(/). Then, u 3 G p7j]£ e with y£ = S Ly , yO = u 
and av — c. After the conditions on Uj, by Lemma, l2H [C/j]^ Q Wjl^e 
where afi = b' . Thus, £ G 

- b is a limit ordinal. By induction hypothesis, 1° < I b for all b' < b. Thus, 
I°<I b . 

• a = a' + 1. 

- b = 0. Not possible. 

- b = b' + 1. Then, a' <b'. Let £ G !£(£). Then, £ £ 5JV. Assume now that 
£ reduces to a constructor term /u with / : (y: U)C sa v and let j G Acc(/). 
Then, Uj G g with y£ = S Ly , yd = u and av = a'. After the conditions 

on Uj, by LemmaEl [Uj]£ g C [£/,-] £ e where a M = b'. Thus, £ G /£(£). 

- b is a limit ordinal. Then, a' < b' for some b' < b and we can conclude by 
induction hypothesis. 

• a is a limit ordinal. 

- b = 0. Not possible. 

- b = b' + 1. Then, a < W and we can conclude by induction hypothesis. 

- b is a limit ordinal. Then, for all a' < a, a' < b, and we can conclude by 
induction hypothesis. ■ 

Lemma 32 (Primitive types) Let C be primitive type. If a > u> then I c = 

T TC . Otherwise, I C (S) = {£ G SAT | |£|| c < a}, that is, o c(s - } (£) = |tl| c . 

Proof. We proceed by induction on C with as well-founded ordering. 

Let J c = {£ G SM | \t{ \c < a}. Since primitive types are not polymorphic, 
every Si = 0. So, we can drop the arguments S. Note also that \t\c < \t'\c 
whenever £ — > £' (since Cons C £F). 

We first prove that, for all a < uj, if oc(t) = a then |£| \c = ct. 

- a = 0. If o c (£) = then £ G C J° . Thus, |£| | c = 0. 

- a = a' + 1. If o c (£) = a' + 1 then £ G \ Since t<£l c ,t reduces to a 
constructor term fu with / : (y : U)C sa v. Let j G Acc(/). Then, iij G [E/j]£ fl 
with y£ — S Ly , y6 = u and av — a'. Moreover, either Uj = C"w J with 
Cj ~jf C, or J7j = Cfv 3 with C. In the former case, Uj G I c .. Thus, 
°Cj{uj) < a' and, by induction hypothesis, oCj{uj) — \Uj\, \c t . Therefore, 
oc{t) = \t{\. 

Thus oc(t) = \t I \c and, for all < u>, I c = Jq, We now prove that 
= Jg = 57V. Let £ G \ ig. Since t (£ I c , t reduces to a construc- 

tor term /u with / : (y : U)C sa v and, for all j G Acc(/), Uj G Jf/j]^ with 
y£ = 'S'lyj yO — u and ai/ = w. Thus, for all j G Acc(/), there is Oj < such 
that G [fjl/g with a^j = Oj. a = max{aj | j G Acc(/) is well defined since 
Acc(/) ^ and a < u> since Acc(/) is finite. Thus, t G C Ig. ■ 

We now give general conditions for every symbol to be computable, based on 
the fundamental notion of computability closure. The computability closure of a 
term t is a set of terms that can be proved computable whenever t is computable. 
If, for every rule f l → r, r belongs to the computability closure of l, then rules 
preserve computability, hence strong normalization. 

In pi], the computability closure is inductively defined as a typing relation 
c similar to except for the (symb) case which is replaced by two new cases: 
(symb<) for symbols strictly smaller than f, and (symb=) for symbols equivalent 
to f whose arguments are structurally smaller than l. 

Here, we propose to add a new case for symbols equivalent to f whose 
arguments have sizes strictly smaller than those of l. For comparing the sizes, 
one can use metrics like in [42]. 

Definition 33 (Ordering on symbol arguments) For every symbol f : (x : 
T)U , we assume given two well-founded domains, (Df, >f) and (D*f, >f), and 
two measure/metric functions ( A '■ A n ~ * Df and (f : 21™ — ► D% (n = \x\) such 
that (Df, >f) = (Df, >f) (X G {A, 21}) whenever / g, and we define: 

- a l j = a if Ti = C a v, and — oo otherwise. 

- (/, <p) > A (g, i,) i&f>rgorf^g and (f(a flf ) >f (f(a g ^). 

- (f, v) > a (g, /x) iff / >t 9 or / ~r g and Cf(3fv) >f C,f(d gi i). 

Then, we assume that > A is decidable and that (for all v) (/, ipv) > a (g, tpv) 
whenever (/, ip) > A (g,ip). 

Example 2 (Lexicographic and multiset status) A simple metric is given 
by assigning a status to every symbol, that is, a non-empty sequence of finite 
multisets of strictly positive integers, describing a simple combination of lexi- 
cographic and multiset comparisons. Given a set D and a status £ of arity n 
(biggest integer occurring in it), we define {Qd on D n as follows: 

- [Mi . . . M k ] D (x) = ({M4>B(x), lM k fS(x)) 

- [{h, ■ ■ - 5 * P }]S(^ = fain- ■■i x ip} (multiset) 

Now, take (f = [C/]x, Df = Cf (X n ) and >f= ((>x)mui)icx. 

For building the computability closure, one must start from the variables 
of the left hand-side. However, one cannot take any variable since not every 
subterm of a computable term is computable a priori. To this end, based on 
the definition of the interpretation of constant predicate symbols, we introduce 
the notion of accessibility. 

Definition 34 (Accessibility) We say that u : U is a-accessible 10 in t : T, 
written t : T > Q u : U, iff t = fu, f e Cons, / : (y : U)C sa v, \u\ = \y\, 
10 We may not indicate a if it is not relevant. 

u = uj, j G Acc(/), T = C sav v^f, U — Ujjcp, 7 = {y i— > u}, <p = {a a} and 
Pos(a, u) = 0. 

A constructor c : (y : U)C a v is finitely branching 11 iff, for all j £ Acc(c), 
either Pos(a, [Ty) = or there exists D such that C/j = D a u. We say that u : U 
is strongly a-accessible in t : T, written t : T [> a u : U, iff t : T \> a u : U, / is a 
finitely branching constructor and Pos(a, Uj) ^ 0. 

We say that u : U is ^-accessible modulo <p in t : T, written t : T ^ v u : [/, 
iff either t : T<p = u : U and <p|v(T) is a renaming, or f : Ty> \>* \> t u :U for some 
size variable e. 

Definition 35 (Termination criterion) Let (fl — > r, r, i/j) 6 7?. with / : 
(x : T)U and 7 = {x 1— > Z}. The computability closure associated to this rule 
is given by the type system of Figure on the set of terms T^{T' , X') where 
T' = T U dom(r), X' = X \ dom(r) and, for all x G dom(r), t x = xT and 
x <jf /. The termination conditions are: 

• Well-typedness: for all x G dom(r), c Zi : Tiipj. 

• Linearity: V is linear w.r.t. size variables. 

• Accessibility: for all x G dom(r), there are i and j3 such that U : Tij ^> v x : 
xT 12 Ti = CH and V(i) = 0. 

• Computability closure: c r : U<p-f. 

• Positivity: for all a G V(f), Pos(a, U) C Pos + ([7). 

• Safeness: 7 is an injection from dom D (T/) to dom D (T). 

Note that, if Aji : T then T, At : T. Hence, the well-typedness condition 
implies that 7 : Tfip V and thus that the left hand-side is well-typed: Tfl : 

U tfTf. 

The positivity condition on the output type of / w.r.t. size variables appears 
in the previous works on sized types too. In Abel gives an example of a 
function which is not terminating because it does not satisfy such a condition. 
This can be extended to more general continuity conditions |2<SI and is indeed 
necessary (see Example EJ. 

As for the safeness condition, it simply says that one cannot do matching 
or have non-linearities on predicate variables, which is known to lead to 
non-termination. It is also part of other works on the Calculus of Constructions 
with inductive types [36] and rewriting [40]. 

The positivity, safeness and accessibility conditions are decidable. For the 
conditions based on the computability closure, we prove the strong normaliza- 
tion in Section 

Let us now see some examples. 

Example 3 (Division on natural numbers, Figure |J) Take the types not : 
*, : nat°, s : nat a => nat sa , — : nat a nat (i => nat a and / : nat a => nat 13 => 

11 Primitive types are finitely branching. 

12 This implies in particular that every xr is of the form C £ t with e£2. 

Figure 5: Computability closure of f l → r with f : (x : T)U and γ = {x ↦ l} 

nat a , with Acc(s) = {1}. All positivity conditions are clearly satisfied. Safeness 
is immediate (there is no predicate variables). For the other conditions, we only 
detail (3) and (5). 

• For (3), take r_ = p : nat a ,q : nat 13 , (-(a, (3) = a, T = x : nat s ,y : nat e , 
7= {pH sx, q 1 ► sy}, ip = {a 1— ► sS, (3 1— ► se} and s <r — . 

- Well-typedness: By (symb), c a; : nat 5 and c y : nat e . Thus, by (symb), 
c sx : nat sS and c sy : nat se . 

- Accessibility: One can easily check that sx : nat sS x : nat 5 and sy se 
y : nat e . 

- Computability closure: By (symb), c a: : nat 5 and c y : nat e . By (symb), 
c — xy : nat 5 since £_(<5, e) = 6 < (-(s5,se) = sS. Thus, by (sub), c — xy : 
nat sS . 

• For (5), take V 1 = p : nat a ,q : nat 13 , (/(a, (3) — a, T = x : nat 3 ,y : nat e , 
7 = {p i— » g i—* y}, (/? = {a s<5, /? e} and — <jf /. 

- Well-typedness: By (symb), c a: : nat 5 and c y : nat e . Thus, by (symb), 
c sx : nat sS . 

- Accessibility: One can easily check that sx : nat sS x : nat 5 and y : 
nat e y : nat e . 

- Computability closure: By (symb), c x : nat 5 and c y : nat e . By (symb), 
c — xy : nat s . By (symb), c / (—xy)y : nat 5 since Q(6, e) = S < (/(s5, e) = sS. 
Thus, by (symb), c s(/(— xy)y) : nat sS . 

Example 4 (Addition on Brouwer's ordinals, Figure l2]l Take the types 
ord : *, : nat , s : nat a =>• nat sa , lira : (nat =>■ ord a ) =>■ ord sa and + : 
nat a nat 13 =4> nat°° , with Acc(s) = Acc(Zim) = {1}. All positivity conditions 
are clearly satisfied. We only detail rule (3). Take T + = p : ord a ,q : ord", 
C+(a,/3) = a, r = / : nat 00 => ord 5 ,y : ord 1 , 7 = {p 1— > limf,q y}, 
99 = {q 1— > s<5, /3 e} and s, Urn <jr +. 

- Well-typedness: By (symb), c / : nat°° =>• ord 5 and c y : ord e . Thus, by (symb), 
c limf : ord sS . 

- Accessibility: One can easily check that limf : ord sS ^5> v f : nat°° => ord s 
and y : ord 11 ^> v y : ord e . 

- Computability closure: By (symb), c / : nat 00 =>• ord 6 and c y : ord e . Let 
A = x : nat°°. By (var), 4^ : nat°° . By (weak), 4/ : nat°° => ord 8 and 
4y : ord e . By (app), 4/£ : ore?" 5 . By (symb), 4 + (f%)y : ord°° since 
C+(£,e) = <5 < C+(s^) = s $- By (abs), c [ir : nat°°](+(fx)y) : (x : nat°°)ord s . 
Thus, by (symb), c lim([x : nat 00 ](+(fx)y)) : ord sS . 

Example 5 (Quick sort, Figure [6]) Take the types bool : *, true : bool°°, 
false : bool°°, list : *, nil : list , cons : nat°° => list 01 =>• list sa , blist : 
pair : Zist Q list? =>■ blist max{ - a 'P\ fst : blist 01 => list 01 , snd : blist a =>• list 01 , 
<: nat 00 =$> nat°° =>• 600Z 00 , pivot : nai°° =*> Zisi Q blist 01 , qs : list 00 => 
list 00 => Hsi°° and gsori : list 00 =4> list 00 . We only detail the computability 
closure condition of rule (11). 

Take ( qs (a,/3) — a, T = x : nat°° ,1 : list 5 , 1' : list e , ip — {a >— > s<5, /3 h-> e} 
and os >jf pwot >jr cons, pair, fst, snd. By (symb), c x : nat°°, c l : list 5 and 
c ?' : Zzst e . By (symb), c pivot x I : blist 5 . By (symb), c it : Hst" 5 and c w : list 5 . By 
(symb), c gs u V : list 00 . By (symb), c cons x (qs v I') : list 00 . Thus, by (symb), 
c qs u (cons x (qs v I')) : list 00 since Cgs(<^ °o) = £ < Cjs( s ^j e ) = s $- 

Note that we cannot take $qs : list^\alpha \Rightarrow list^\beta \Rightarrow list^{\alpha+\beta}$ and thus 
$qsort : list^\alpha \Rightarrow list^\alpha$ since too much information is lost by taking 
$pair : list^\alpha \Rightarrow list^\beta \Rightarrow blist^{\max(\alpha,\beta)}$. Even though we take 
$pair : list^\alpha \Rightarrow list^\beta \Rightarrow blist^{(\alpha,\beta)}$ with $(\alpha,\beta)$ interpreted as a pair 
of ordinals, the current setting does not allow us to say that pivot has type 
$nat^\infty \Rightarrow list^\alpha \Rightarrow blist^{(\beta,\gamma)}$ for some $\beta$ and $\gamma$ such that 
$\beta + \gamma = \alpha$, as it can be done in Xi's framework [42]. 

The following examples are taken from [25]. 

Figure 6: Quick sort 

(1) fst (pair x y) → x 
(2) snd (pair x y) → y 
(3) < 0 x → true 
(4) < (s x) 0 → false 
(5) < (s x) (s y) → < x y 
(6) if true x y → x 
(7) if false x y → y 
(8) pivot x nil → pair nil nil 
(9) pivot x (cons y l) → [right-hand side illegible in the source] 
    where u = fst (pivot x l) and v = snd (pivot x l) 
(10) qs nil l → l 
(11) qs (cons x l) l' → qs u (cons x (qs v l')) 
    where u = fst (pivot x l) and v = snd (pivot x l) 
(12) qsort l → qs l nil 

Figure 7: Paulson's normalization of if-expressions 

(1) nm at → at 
(2) nm (if at y z) → if at (nm y) (nm z) 
(3) nm (if (if u v w) y z) → nm (if u (nm (if v y z)) (nm (if w y z))) 


Example 6 (Paulson's normalization of if-expressions, Figure 7) Take 
the types $expr : \star$, $at : expr^1$, 
$if : expr^\alpha \Rightarrow expr^\beta \Rightarrow expr^\gamma \Rightarrow expr^{\alpha(1+\beta+\gamma)}$ and 
$nm : expr^\alpha \Rightarrow expr^\alpha$. We only detail the computability closure condition of rule 
(3). Take $\zeta_{nm}(\alpha) = \alpha$, $\Gamma = u : expr^\alpha, v : expr^\beta, w : expr^\gamma, y : expr^\delta, z : expr^\epsilon$, 
$\nu = \alpha(1+\beta+\gamma)(1+\delta+\epsilon)$, $\varphi = \{\alpha \mapsto \nu\}$ and $nm >_{\mathcal F} at, if$. Then, 
one can check that $\nu$ is strictly greater than $\beta(1+\delta+\epsilon)$, $\gamma(1+\delta+\epsilon)$ and 
$\alpha(1+\beta(1+\delta+\epsilon)+\gamma(1+\delta+\epsilon))$ if variables are interpreted by strictly positive 
integers. 
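The decrease claimed in Example 6 can be checked mechanically. The following Python sketch is an added example, not code from the paper: it implements rules (1)-(3) of Figure 7, measures terms with the size read off the types of Example 6 (at has size 1, if c y z has size |c|(1 + |y| + |z|)), and records the argument size of every recursive call made by rule (3). The names `size`, `nm`, `is_normal`, `expressions` and `check` are assumptions of this sketch.

```python
"""Added example: Paulson's nm (Figure 7) checked against the size measure of Example 6."""
from itertools import product

AT = "at"  # the atom; a conditional is the tuple ("if", cond, then, else)


def size(e):
    """Size read off the types of Example 6: |at| = 1 and
    |if c y z| = |c| * (1 + |y| + |z|)."""
    if e == AT:
        return 1
    _, c, y, z = e
    return size(c) * (1 + size(y) + size(z))


def nm(e, calls):
    """Normalise e with rules (1)-(3) of Figure 7.

    Each recursive call made by rule (3) is appended to `calls` as
    (size of the rule's argument, size of the recursive call's argument).
    """
    if e == AT:                                    # rule (1)
        return AT
    _, c, y, z = e
    if c == AT:                                    # rule (2): structural calls
        return ("if", AT, nm(y, calls), nm(z, calls))
    _, u, v, w = c                                 # rule (3)
    lhs = size(e)                                  # nu in Example 6
    left, right = ("if", v, y, z), ("if", w, y, z)
    calls.append((lhs, size(left)))                # beta * (1 + delta + epsilon)
    calls.append((lhs, size(right)))               # gamma * (1 + delta + epsilon)
    # The outer argument contains results of nm; its size is bounded only
    # because nm : expr^alpha => expr^alpha does not increase sizes.
    outer = ("if", u, nm(left, calls), nm(right, calls))
    calls.append((lhs, size(outer)))
    return nm(outer, calls)


def is_normal(e):
    """A normal form has only `at` in condition position."""
    return e == AT or (e[1] == AT and is_normal(e[2]) and is_normal(e[3]))


def expressions(depth):
    """All if-expressions of nesting depth <= depth."""
    terms = [AT]
    for _ in range(depth):
        terms = [AT] + [("if", c, y, z) for c, y, z in product(terms, repeat=3)]
    return terms


def check(depth):
    """Run nm on every expression up to `depth` and count what would break
    the argument of Example 6."""
    report = {"terms": 0, "rule3_calls": 0, "not_decreasing": 0,
              "size_increased": 0, "not_normal": 0}
    for e in expressions(depth):
        calls = []
        result = nm(e, calls)
        report["terms"] += 1
        report["rule3_calls"] += len(calls)
        report["not_decreasing"] += sum(arg >= lhs for lhs, arg in calls)
        report["size_increased"] += size(result) > size(e)
        report["not_normal"] += not is_normal(result)
    return report


if __name__ == "__main__":
    print(check(3))
```

The third recorded call of rule (3) is the one that depends on the size-preserving type of nm: its argument is built from results of the two inner calls, so the bound on its size holds only if nm never returns a term larger than its input, which `size_increased` checks.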



Example 7 (Huet and Hullot's reverse function, Figure 8) Take the types 
$rev1 : nat^\infty \Rightarrow list^\infty \Rightarrow nat^\infty$, $rev2 : nat^\infty \Rightarrow list^\beta \Rightarrow list^\beta$ and 
$rev : list^\alpha \Rightarrow list^\alpha$. We only detail the computability closure condition of rule (4). 
Take $\zeta_{rev}(\alpha) = 2\alpha$, $\zeta_{rev2}(\alpha,\beta) = 2\beta + 1$, $\Gamma = x : nat^\infty, y : nat^\infty, l : list^\delta$, 
$\varphi = \{\beta \mapsto \delta + 1\}$ and rev rev2 rev1 cons, nil. Then, one can 
check that $\zeta_{rev2}(\infty, \delta+1) = 2\delta + 3$ is strictly greater than $\zeta_{rev2}(\infty, \delta) = 2\delta + 1$, 
$\zeta_{rev}(\delta) = 2\delta$ and $\zeta_{rev}(1 + \delta) = 2\delta + 2$. 

Figure 8: Huet and Hullot's reverse function 

(1) rev1 x nil → x 
(2) rev1 x (cons y l) → rev1 y l 
(3) rev2 x nil → nil 
(4) rev2 x (cons y l) → rev (cons x (rev (rev2 y l))) 
(5) rev nil → nil 
(6) rev (cons x l) → cons (rev1 x l) (rev2 x l) 



Figure 9: Mac Carthy's "91" function 

(1) f x → f (f (+ x 11)) if < x 100 = true 
(2) f x → − x 10 if < x 100 = false 

Example 8 (Mac Carthy's "91" function, Figure 9) Mac Carthy's "91" 
function f is defined by the following equations: f(x) = f(f(x + 11)) if x < 100, 
and f(x) = x − 10 otherwise. In fact, one can prove that f is equal to the 
function F such that F(x) = 91 if x < 100, and F(x) = x − 10 otherwise. 
A way to formalize this in CACSA would be to use conditional rewrite rules 
(see Figure 9) and take¹³ $f : nat^\alpha \Rightarrow nat^{F(\alpha)}$ and $\zeta_f(x) = \max(0, 101 - x)$ as 
measure function, as it can be done in Xi's framework. Then, by taking into 
account the rewrite rule conditions, one could prove that, if $\Gamma = x : nat^\delta$ and 
< x 100 = true, then $\delta < 100$, $\zeta_f(\delta + 11) < \zeta_f(\delta)$ and $\zeta_f(F(\delta)) < \zeta_f(\delta)$. 

7 Termination proof 

We first prove some lemmas for proving the correctness of accessibility w.r.t. 
computability (accessible subterms of a computable term are computable) . Then, 
we prove the correctness of the computability closure (every term of the com- 
putability closure is computable) and the computability of every symbol, hence 
the strong normalization of every well-typed term. 

Lemma 36 (Accessibility properties) 

(1) Ift:T\> k u: D e u then T = C ske t. 

(2) If t : C p t > v u : U then there are e 6 Z and k > such that flip = s k e. 

13 Note that F(a) is monotone w.r.t. a. 






(3) If t : T > u : U, ta G Kq(S) then o c ,g^{t) is a successor ordinal. 

(4) If t : T > u : U and ta G I&0) then ucr £ for some D and S ?/ . 

(5) Let f : (y : U)C sa v be a finitely branching constructor such that, if 
j e Acc(/) and Pos(a,Uj) ^ then Uj = C?u>, If fu G then 
°c(s)(fty ~ max {°c j (Si)^ u ^ I e Acc(/),Pos(a, Uj) ^ 0} + 1, where 
5 J = u£ = S Ly ,y9 and ai/ = a. 

(6) If t : T E> fe > u:U and to G ^(5) then <W } (t) = a + k + 1 for some a. 

(7) If * : T >* u : U and ta G [T]^ then ua G [C/]^. 

Proof. 

(1) By induction on For k = 0, this is immediate. Assume now that i : 
T[> fc u : F[> a u : D e u. Then, a = e and V = E se vj. Therefore, by 
induction hypothesis, T — G s e t. 

(2) There are two cases. 

- t : C^ip = u : U and <P|v(T) is a renaming. Take e = /3<p and k = 0. 

- t : C^V t> fc t> : y > e u : U. Then, V = L» sc w and, by (1), f3ip = s k+1 e. 

(3) By Lemma EDI 

(4) By (3), we can assume that ta G By Definition 1231 zt, G [?7j]£ e 
with y£ — S ly , yd = u and av = a. By definition of >, Uj = D a u. Thus, 
Uj G with 5' = [u]^. 

(5) By (3), we can assume that fu G Iq +1 (S), By (4), for all j G Acc(/) such 
that Pos(a, ?/,•) 7^ 0, it? G Iq. (£■?). Let Oj = o c .(gi\(%)- Since a is as small 
as possible, we must have max{aj \ j G Acc(/), Pos(a, Uj) ^ 0} = a. 

(6) By induction on k. For k = 0, this is (3). Assume now that t : T\> u : 
Uf> k > u : V. By (4), for all j G Acc(/), u^cr G I^i^)- Let Oj = 
°C (§i)( u 3 cr )- ^ induction hypothesis, Oj = faj + k + 1. Therefore, by (5), 
°c(S)( icr ) = &j + + 2 for some bj. 

(7) By induction on the number of [>-steps. If there is no step, this is immedi- 
ate. Assume now that t : T> a u : U >*v : V and acp — a. Since T = C sav vj, 
int* = Ic W+ \S) with S = \&i\l a . Therefore, ua G [Ujj^ a with 
yrj = S Ly . Since v Ly = y, y-q = [2/7] = [yi\% yB . since Pos(a,7) = 0. So, 
by candidate substitution, [P^ = [?7j7]££ = Therefore, by 
induction hypothesis, va G [V]^ a . ■ 

Theorem 37 (Accessibility correctness) If t : T ^§> v u : U, T — C^t, 
V(i) = and ta G then there exists v such that (3<pv < (3u and 

ua G [C/] ? V 

Proof. There are two cases: 
• t : Tip — u : U and ¥>|v(T) is a renaming. Let v = </3j^ T ^. @ipv — f3u and 
ua — ta E [T\l a - [T^]^. 
• t : Tip E>*u : U t> £ v : V. By definition of > e , U = D st u. By Lemma 137)1 
(1), flip = s k+1 e. By (6), there exists a such that a + k + 1 < flfi and 
to G l£ +k+x (S). Let ez/ = a. Then, flipv = s k+1 eu = a + k + 1 < flfj,, 
to G [T^, and, by (7), ua G pV]£ j(T . ■ 

Theorem 38 (Correctness of the computability closure) Let (// — * r,T, 
<p) G TZ, / : (x : T)U and 7 = {x 1— » I}. Assume that, for all (g, n) < a (/, (pi/), 
g G [t b Y. H 4* : T and £, o \= U T,A then to G [TJ^ 

Proof. By induction on Z^fj : T. We only detail the case (symb). Since 
(g,ip) < A (f,ip), (g,ipv) < a (f,(pv). Hence, by assumption, g G [r ff ]^ I/ . Now, 
by induction hypothesis, y^tr G [t^Wlgo-- By candidate substitution, there 
exists 77 such that {UtpSJ^ = [U^ M - B Y size substitution, {U^Y vM = 
[U}^ Sa . Therefore, gySo E{V\^ 5<J = [F#] ? V 

Lemma 39 (Computability of symbols) For all / and fl, / G [t/J^ 1 - 

Proof. Assume that r/ = (x : T)U with J7 distinct from a product. / G 
[t/] m iff, for all 77, such that 77, 9 |= M T/, /x# G {Uj^ e . We prove it by induction 

on ((/, fj), 9) with (> a , — Oiex as well-founded ordering. Let U — XiO and t — ft. 
By assumption, for every rule fl^r^TZ, \l\ < \t\. So, if / ^ Cons then t is 
neutral and it suffices to prove that — >(t) C [J7]^ e . Otherwise, = I^f(S) 

with 5 = [^]^ e . Since 77, |= M T/, tj G Pj]^ e . Therefore, in this case too, it 
suffices to prove that — >(i) C [E/]^ e . 

If the reduction takes place in one t% then we can conclude by induction 
hypothesis. Assume now that there exist (I r,T,(p) € TZ and o such that 
t = lo. Then, I — fl and 9 — 70" with 7 = {x 1— » 

We now define £ such that = [E/ 7 ]£ CT and [fj^ = pV]£ By 

safeness, 7 is an injection from dom (Tf) to dom (r). Let y G dom (r). 
If there exists x G dom(r/) (necessarily unique) such that y = xj, we take 
y£ = 3:77. Otherwise, we take yt; = T y r- 

We check that £ |= T. If y ^ x-y, y£ — T y r G T^r- If y = x l then 
y£ = Since 77 |= T/, £77 G 1Z x t s - Since 7 : Tfip ~> T, : xFftpj. Therefore, 
yT < xTftpj and TZ yT = TZ x t sv1 = TZ x r r So, £ h r - 

Now, by candidate substitution, [E/7]^ CT = \U\^, 7cr with £77' = [x7]^ i<T . Let 

x G FV(T{7). By safeness, £7 = 77 G dom D (r) and xr/ = y£ = 2:77. Therefore, 
77' = 77. 

We now prove that £, o \= v V for some valuation v such that ipv < fl. Let 
,t G dom(r). By assumption, there exists i such that U : Tij ^> v x : xT, 
Ti7 = C /3m u and V(u) — 0. By Lemma ESI (2), there is e x and k x such that 
/3;e^ = s kw e x . Since ^cr G [2i7]f,o-j by Theorem there exists v x such that 
xo G [xrjc^ and (3 x ipv x < f3 x fj,. Since T is linear w.r.t. size variables, e x ^ e y 
whenever x ^ y. So, we can define v by taking e x v = e K 7/ x . Then, /S^tjCi/ = 
s km e x v = s k *t x v x = /3 x tpis x < (3 x fi. 

Therefore, since c r : Uipj, by correctness of the computability closure, ra £ 

\Pfi\la = W<P\nfi = PTnft < Pile sinCe , fOT a11 «. P ° S ("> CO C P0S+(C7). ■ 

Theorem 40 (Strong normalization) Every well-typed term is strongly nor- 
malizable. 

Proof. The invariance by reduction is proved in [TJ]. Hence, we can con- 
clude by Theorem ESI and Lemma OHH B 

8 Conclusion 

The notion of computability closure, first introduced in ^2] and further extended 
to higher-order pattern-matching higher-order recursive path ordering [29 , 
type-level rewriting Q and rewriting modulo equational theories [2J, again shows 
to be essential for extending to rewriting and dependent types type-based termi- 
nation criteria for (polymorphic) A-calculi with inductive types and case analysis 
|2H1 El 03 El ■ In contrast with what is suggested in 0, this notion, which is 
expressed as a sub-system of the whole type system (by restricting the size of 
arguments in function calls in some computability-preserving way, see Figure 
HJ), allows pattern-matching and does not suffer from limitations one could find 
in systems relying on external guard predicates for recursive definitions. 

Moreover, we allow a richer size algebra than the one in jSHH^JG] (see Section 
HJ. But, we do not allow existential size variables and conditional rewriting that 
are essential for capturing for instance the size-preserving property of quicksort 
(Example 5) and Mac Carthy's "91" function (Example 8) respectively, as it can 
be done in Xi's work [42]. Such extensions should allow us to subsume Xi's work 
completely. More generally, it is important to have a better understanding 
of the differences between Xi's work which does not use subtyping (but has 
existential size variables and singleton types) and the other works that are based 
on subtyping. 

In this work, we assume that users provide appropriate sized types for func- 
tion symbols and then check by our technique that the rewrite rules defining 
these function symbols are compatible with their types. An important exten- 
sion would be to infer these types. Works in this direction for ML-like languages 
are [321 1431 H7] . The exact relations between these works and with refinement 
types also |33l I22j still have to be investigated. Note also that deciding the 
non-size-increasing property of some functions is investigated in [23, 24]. 

We made two important assumptions that also need further research. First, 
the confluence of $\beta \cup \mathcal{R}$, which is still an open problem when $\mathcal{R}$ is confluent, 
terminating, non left-linear and contains type-level rewrite rules. Second, the 
preservation of typing under rewriting (subject reduction for $\mathcal{R}$), for which we 
need to find decidable sufficient conditions (see Example QJ. 

Finally, by combining rewriting and subtyping in the Calculus of Construc- 
tions, this work may also be seen as an important step towards the integration of 
membership equational logic 133 and dependent type systems. Previous works 
in this direction are |?SI H31I37| . 

9 Elimination of transitivity 

In this section, we prove Theorem by following Chen's technique [15]. 

Lemma 41 < is equivalent to the relation <' where (symb) is replaced by: 

C b t< T 
(Symb,) C a t<T ( a - Ab > 

Proof. <C<' : Assume that a < A b. By (refl), CH <' C b t. Hence, by 
(symb'), C a t<J CH. <'C<: Assume that C a t <' T since C b t <' T and a < A b. 
By induction hypothesis, C b t < T. By (symb), C a t < C b t. Therefore, by 
(trans), C a t < T. ■ 

Note that the following two subtyping rules are clearly admissible: 

T [V V < U 



(left) 
(right) 



T <U 

T<U' U' I U 
T < U 



For representing the subtyping deductions, we introduce the following term 
algebra: 

d ::= ⊥ | I | Sd | Cd | Ld | Rd | Pdd | Tdd 

where ⊥ stands for some impossible case, I for (refl), S for (symb'), C for (conv), 
L for (left), R for (right), P for (prod), and T for (trans). 

We now prove that the transformation rules of Figure 10 are valid, that is, a 
deduction matching a left hand-side can be replaced by the corresponding right 
hand-side. 

(a) Cx -> R(Lx) 

T IT' T' < U' U' | U 
— C 

T < U 

can be transformed into: 

T IT' T' < U' 



L 



T <U' U' [U 
— R 

T <U 

(b) R(Rx) -> Rx 

T<U' U' I U 

R 

T <U U iU" 
R 

T < U" 

can be transformed into: 

T <U' U' i U" 



R 



T < U" 

by confluence of — >. 

(c) L{Lx) — ► Lx 
Like (b). 

(d) L(Rx) -> R(Lx) 

T' <U' U' i I' 
TIT' T' <U 

T <U 

can be transformed into: 

T IT' T' < U' 



R 



L 



T < U' U' \U 
R 

T < U 

Note that the inverse transformation R(Lx) — > L(Rx) is valid too. 
(e) TIx -> x 



T <T T <U 

T 

T < U 

can be transformed into: 

T <U 

(f) T(Sx)y -> S(Txy) 

C b t< T 

S 



C a t < T T <U 
T 

C a t < U 

can be transformed into: 

C b t< T T <U 

■ T 



C b t < U 

— ^—s 

c a t < u 






(g) T(Lx)y - L(Txy) 

T [T 1 T' <U 

T <U U < V 

T 

T < V 

can be transformed into: 

T' < U U < V 



TIT' T' < V 

~—L 



T < V 

(h) T{RI)x -» Lx 



T <T TIT' 

R 

T <T' T' <U 
T 

T < U 

can be transformed into: 

T | T' T' <U 



T <U 

(i) T(R(Sx))y - S(T(Rx)y) 
C b t< T 



C a t < T TIT 1 

R 

C a t < T' T' <U 

= T 

C a t < £7 

can be transformed into: 

C b t < T T IT' 



R 



C b t< T' T' < U 
iT= T 

— = 

C a t < U 

(j) T(R(Lx))y - L(T(Rx)y) 

By combination of (g) and the inverse of (d). 
(k') TxI -> x 

Like (e). 

(1) T(R(Pxy))(Sz) - JL 

[/'<[/ V < V" 
p 

(x : ?7)y < (x : C^')V" (x : U')V [ C a t C b t < T 

~ ' (x : U)V < C a t C a t<T 

(x : U)V < T 

is not possible since (x : U')V and C a t have no common reduct since C is 
constant. 

(n') Tx(Ry) -> R(Txy) 

U < V V' IV 
T < U U < V 



R 



T < V 

can be transformed into: 

T < U U < V 

■T 



T < V' V' I V 

R 



T < V 

(m') T(Rx)(Ly) ^ Tx(Ly) 

T <U U i U' U' | U" U" < V 

R L 

T <U' U' < V 

T 

T < V 

can be transformed into: 

U i U" U" < V 



T < U U < V 
T 

T < V 

by confluence of — ». 

(p) T{R{Pxy)){Pzt) - P(Tz(Lx))(Ty(Lt)) 

U 2 < U x Vx< V 2 

P 



[x : Ui)Vi < {x : U 2 )V 2 (x : U 2 )V 2 | (x : U 3 )V 3 U A <U 3 V 3 <V 4 

~ (x : U^V < (x : U 3 )V 3 {x : U 3 )V 3 < {x : U^Vi 

(x : U^V < (x : U 4 )V 4 

can be transformed into: 

U 3 i U 2 U 2 < U x V 2 i V 3 V 3 < V 4 

U 4 <U 3 U 3 < U x ' Vx <V 2 V 2 < V 4 
T T 

U 4 <Ux Vx< V 4 

P 

(x : Ux)Vx < (x : U 4 )V 4 

(r) T(Pxy){Sz) -> JL 

Like (1). 
(s') Tx(LI) Rx 

Like (h). 
(t) T(Pxy)(L(Sz)) - ± 

Like (1). 

(u) T(Pxy)(L(Pzt)) -> P{Tz{Lx)){Ty{Lt)) 
Like (p). 

(w) T{Pxy){Pzt) -» P{Tzx){Tyt) 
Like (p). 

The above rules form a terminating rewrite system. For L and R, the recursive 
calls are strictly smaller (take L < R). For Tuv, the measure (|u| + |v|, |v|), 
where |u| is the size of u, strictly decreases lexicographically. Now, it is easy to 
see that T occurs in no normal form of Tuv if u and v are closed terms (T is com- 
pletely defined). We proceed by induction on the measure. The only undefined 
cases for T are T(R(Pxy))(Tzt), T(Pxy)(L(Tzt)), T(Pxy)(Tzt) and T(Txy)z. 
By induction hypothesis, T occurs in no normal form of Tzt or Txy. Therefore, 
we fall in the defined cases and we can conclude by induction hypothesis. 



10 Expansion elimination 

In this section, we prove Theorem by following Chen's technique We 
introduce the following term algebra for representing the subtyping deductions: 

d ::= I | S | Ed | Rd | Pdd 

where ⊥ stands for some impossible case, I for (refl), S for (symb), C for (conv), 
E for (exp), R for (red), and P for (prod). 

We now prove that the following transformation rules are valid, that is, a 
deduction matching a left hand-side can be replaced by the corresponding right 
hand-side. 

(a) E(Rx) -> R(Ex) 

(b) E(Pxy) -» P(Ex)(Ey) 

(c) EI -> RI 

(d) ES -> RS 

(e) E(Ex) -> Ex 

(a) E(Rx) -> R(Ex) 

Assume that we have the following deduction: 

rjif rj-iff ^ J^J^ *^ TJ? 

— — = R 

T *<— T < U' -►* U 

E 

T <U 

By confluence, there exist T'" and U'" such that T ->* T'" * <- T" and 
U —** U'" *<— U" . So, the deduction can be transformed into: 

= E 

R 

T <U 

(b) E(Pxy) -> P(Ex)(Ey) 

Assume that we have the following deduction: 

C < A B < D 
P 

T *<— (x : A)B < (x : C)D ->■* U 

E 

T < U 

Then, T = (x : A')B' with A ->* A' and B -►* B' , and U = (x : C")£>' 
with C ^* C" and I? — >* So, the deduction can be transformed into: 

C' *<— C < A^* A' B' **— B < D -►* D' 

C <A' B' < D' 
P 

T <U 

(c) EI -> RI 

By confluence, as in (a) but with T = T" = U" = U'. 

(d) ES -> RS 

Assume that we have the following deduction: 

a <_4 b 



T *<- C a t < CH ->* U 

E 



T < U 

Then, T = C a u with t ->* m and [/ = C h v with t -►* v. By conflu- 
ence, there exists w such that u — ►* w *<— v. So, the deduction can be 
transformed into: 

a <a b 

■S 



C a w < Cw *^ U 

R 



T < U 
(e) E(Ex) -> Ex 
Immediate. 

Now, the rewrite system defined by these transformation rules is clearly ter- 
minating and confluent (there is no critical pair) . Since it defines E completely, 
no normal form of a closed term may contain E. 

Figure 10: 

Some of these rules are particular instances of the following more general 
transformations: 

(k')(q') TxI -> x 
(n')(v') Tx(Ry) -> R(Txy) 
(m') T(Rx)(Ly) -> Tx(Ly) 
(s') Tx(LI) -> Rx 